Cyber Security: What is Cross-Site Request Forgery?

Cross-site request forgery (CSRF) is a web application vulnerability that exploits the trust a site places in a user’s browser, or more precisely in the credentials (usually session cookies) that the browser attaches automatically to every request for that site. The attacker tricks a logged-in victim into causing their browser to send a state-changing request to the target site without the victim’s knowledge or consent.

How CSRF works

The attacker crafts a page or email containing a hidden form, image, or script that triggers a request to the target site (an image tag can only trigger a GET; a form can submit a POST). When the victim visits the page while authenticated to the target, their browser dutifully includes session cookies with the request. The target accepts the request as legitimate because it carries valid session credentials, and the cookie alone gives the server no way to tell whether the user intended to send it. Typical impact: changing the victim’s email or password, transferring funds, deleting data, or performing administrative actions.

A simple example

If the bank at example-bank.co.uk processes transfers via POST /transfer with parameters recipient and amount, an attacker can host the following HTML on any site they control:

<!-- Auto-submitting form targeting the bank's transfer endpoint -->
<form action="https://example-bank.co.uk/transfer" method="POST">
  <input name="recipient" value="attacker-account">
  <input name="amount" value="500">
</form>
<!-- Submit as soon as the page loads; the victim never clicks anything -->
<script>document.forms[0].submit();</script>

If a logged-in customer of the bank visits the attacker’s page, their browser submits the form and the bank server, seeing a valid session cookie, executes the transfer. The attack succeeds because the transfer endpoint relies on nothing the attacker cannot supply: an ordinary form POST carries no custom headers, so it triggers no CORS preflight, and the browser attaches the session cookie as long as that cookie is not restricted with the SameSite attribute.

Defences

CSRF tokens are unpredictable values bound to the user session, included in every state-changing form or request, and verified by the server on each submission. A request without the correct token is rejected. The token must be something the attacker’s page cannot read or guess: it should be generated with a cryptographic random source or derived from the session with a keyed hash, compared in constant time, and never placed in a cookie alone (a cookie would be sent automatically, which defeats the purpose). This is the most reliable defence.

SameSite cookies instruct browsers not to send cookies on cross-site requests. Chromium-based browsers treat cookies without the attribute as SameSite=Lax, but not every browser does, so set it explicitly. Lax still allows the cookie on top-level GET navigations, so it protects state-changing endpoints only if they refuse GET; SameSite=Strict is safer for sensitive flows at the cost of breaking links into the site from elsewhere. Treat SameSite as defence in depth alongside tokens rather than a replacement for them.

Re-authentication for high-value actions (password change, large transfer, adding a payee) blocks CSRF even where token discipline is imperfect, because the forged request cannot include the victim’s current password or second factor.

Origin and Referer header checks add a secondary layer for state-changing endpoints: browsers set the Origin header on cross-site POSTs and the attacker’s page cannot forge it. Privacy settings and proxies may strip the Referer, so decide the policy for a missing header up front (reject for state-changing requests) and do not rely on these headers as the only control.
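The following is an added example, not code from the original page, showing how the token check and the Origin/Referer check above fit together on the server side of the example-bank.co.uk transfer endpoint. The request structure, session store, server secret, and the transfer handler are assumptions made for illustration; the token is derived from the session ID with an HMAC so nothing needs to be stored per token, and the forged request from the earlier attack page is replayed against the handler to show it being refused.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

# Assumed server-side secret and site origin for this example.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://example-bank.co.uk"


def issue_csrf_token(session_id: str) -> str:
    """Derive the per-session CSRF token as HMAC(secret, session_id).

    Binding the token to the session means a token lifted from another
    session is useless, and the server does not have to store tokens.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, presented: Optional[str]) -> bool:
    """Recompute the expected token and compare in constant time."""
    if not presented:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), presented)


def origin_is_allowed(headers: dict) -> bool:
    """Secondary check: Origin (or Referer as fallback) must match our site.

    A missing header is rejected rather than trusted, because the endpoint
    changes state; privacy settings may strip Referer, so this check is a
    backstop for the token, not a replacement for it.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def session_set_cookie(session_id: str, same_site: str = "Lax") -> str:
    """Set-Cookie value for the session with SameSite set explicitly."""
    return f"session={session_id}; Secure; HttpOnly; Path=/; SameSite={same_site}"


@dataclass
class Request:
    """Minimal stand-in for a parsed HTTP request (assumed shape)."""
    method: str
    path: str
    headers: dict
    form: dict
    cookies: dict


def handle_transfer(req: Request, sessions: dict) -> Tuple[int, str]:
    """Handle POST /transfer; returns (HTTP status, message)."""
    if req.method != "POST":
        return 405, "method not allowed"
    session_id = req.cookies.get("session")
    if session_id not in sessions:
        return 401, "not logged in"
    if not origin_is_allowed(req.headers):
        return 403, "request origin not allowed"
    if not token_is_valid(session_id, req.form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form["amount"])
    sessions[session_id]["balance"] -= amount
    return 200, f"transferred {amount} to {req.form['recipient']}"


if __name__ == "__main__":
    # Constructed session store: one logged-in customer.
    sessions = {"s1": {"user": "alice", "balance": 1000}}
    token = issue_csrf_token("s1")

    # Legitimate submission from the bank's own form.
    legit = Request("POST", "/transfer", {"Origin": SITE_ORIGIN},
                    {"recipient": "bob", "amount": "500", "csrf_token": token},
                    {"session": "s1"})
    print(handle_transfer(legit, sessions))

    # Replay of the attacker's auto-submitting form: the browser still sent
    # the cookie, but the Origin is foreign and there is no token.
    forged = Request("POST", "/transfer", {"Origin": "https://attacker.example"},
                     {"recipient": "attacker-account", "amount": "500"},
                     {"session": "s1"})
    print(handle_transfer(forged, sessions))
    print(session_set_cookie("s1", "Strict"))
```

Run it directly to see the legitimate transfer succeed and the forged one rejected with 403 before any balance changes. Either check alone would stop this particular attack page, but the token is the control to keep: an attacker who finds a way to suppress the Origin header still cannot produce a token bound to the victim's session.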

Related terms

See also: cross-site scripting (XSS), Burp Suite, and web application penetration testing.
